The same researchers who are responsible for spotting the OSX/Linker malware have also found the CrescentCore malware. To avoid detection from antivirus software and other protection methods, the malware is hidden as a Flash Player installer. Initially, CrescentCore was found on a website that was claiming to be distributing free digital versions of new comic books. Researchers also stated, “A high-ranking Google search result was also observed redirecting through multiple sites, eventually leading to a page (hosted at any of a large number of domains) with flashy warnings about Adobe Flash Player supposedly needing to be updated—which in reality is a malware distribution site.” Other sites that were distributing CrescentCore were free movies, TV shows, music, and eBook offers. The malware makes its way into a system by way of a DMG disk image file, disguised as an Adobe Flash Player updater tool. If opened and clicked, the trojan attempts to check if it is operating in a virtual machine. If it finds an antivirus or discovers it’s inside a VM environment it will make its way out and not continue the process. A second variant of the malware was also found during investigations and instead of the Flash Player updater, it installs Advanced Mac cleaner software of a faulty Safari browser extension. Each variant is signed with certificates that are assigned to the developer Sanela Lovice.